The IESG has approved the following document:

- 'Compact Denial of Existence in DNSSEC'
  (draft-ietf-dnsop-compact-denial-of-existence-07.txt) as Proposed Standard

This document is the product of the Domain Name System Operations Working Group.

The IESG contact persons are Warren Kumari and Mahesh Jethanandani.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-compact-denial-of-existence/

Technical Summary

This document describes a technique to generate a signed DNS response on demand for a non-existent name by claiming that the name exists but doesn't have any data for the queried record type. Such answers require only one minimal NSEC record, allow online signing servers to minimize signing operations and response sizes, and prevent zone content disclosure. This document updates RFCs 4034 and 4035.

Working Group Summary

This draft had broad support in the WG. It optimizes for a specific but common situation in the use of DNSSEC, and has clearly defined benefits (reduced answer sizes and reduced cryptographic overhead). While there was some concern that it offers yet another tweak to DNS, this one was judged acceptable because it's based on a clear specification, is already in production use in the DNS, and shows clear benefits. There were some changes made in response to IETF LC comments, and the NSEC section was added. We confirmed with the WG that there is still consensus to publish: https://mailarchive.ietf.org/arch/msg/dnsop/svJk9Y831F7PtcxD_8I9pmadZ18/

Document Quality

Cloudflare, NS1, and Amazon Route53 currently implement the Compact Denial of Existence method. From early 2021 until November 2023, NS1 had deployed the Empty Non-Terminal distinguisher [ENT-SENTINEL] using the private RR type code 65281. A version of the NXNAME distinguisher using the private RR type code 65238 was deployed by both Cloudflare (from July 2023) and NS1 (from November 2023) until roughly September 2024. Since September 2024 both Cloudflare and NS1 have deployed NXNAME using the officially allocated code point of 128.

At the current time, there are only prototype implementations of the signaled rcode restoration scheme.

Personnel

Suzanne Woolf is DS. Warren "Ace" Kumari is RAD!!!!!! RAD I tell you!!!!

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
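The single minimal NSEC record that the Technical Summary describes, and the NXNAME distinguisher (code point 128) named under Document Quality, as an added worked example that is not part of the announcement and is not code from the draft, Cloudflare, NS1 or Route53. It builds the NSEC RDATA an online signer would return for a non-existent name, for an empty non-terminal, and for a real NODATA case, then classifies each from the resolver's side. Assumed: the RR type codes from RFC 4034, the NXNAME code point 128 from the announcement, and the draft's next-name rule of prepending a single zero-octet label to QNAME; the three sample names are constructed.

```python
"""Compact Denial of Existence: one NSEC record, signer and resolver side.

Added example, not the draft's or any implementation's code.  Assumes RFC 4034
type codes, NXNAME = 128, and the draft's next name of "\\000" + QNAME.
"""
from __future__ import annotations

TYPE_A = 1
TYPE_AAAA = 28
TYPE_RRSIG = 46
TYPE_NSEC = 47
TYPE_NXNAME = 128  # meta-type meaning "this name does not exist"


def name_to_wire(name: str) -> bytes:
    """Presentation-format name ("nx.example.") -> uncompressed wire format."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def read_wire_name(data: bytes, pos: int = 0) -> tuple[bytes, int]:
    """Return (wire_name, end_pos).  NSEC RDATA never uses compression (RFC 4034 4.1.1)."""
    start = pos
    while True:
        length = data[pos]
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in NSEC RDATA")
        pos += 1 + length
        if length == 0:
            return data[start:pos], pos


def immediate_successor(qname_wire: bytes) -> bytes:
    """Next Domain Name of a compact answer: a single zero-octet label prepended to QNAME."""
    return b"\x01\x00" + qname_wire


def encode_type_bitmap(types) -> bytes:
    """RFC 4034 4.1.2 Type Bit Maps: (window, length, bitmap) blocks, zero tail trimmed."""
    windows: dict[int, bytearray] = {}
    for t in types:
        window, offset = divmod(t, 256)
        byte_idx, bit = divmod(offset, 8)
        windows.setdefault(window, bytearray(32))[byte_idx] |= 0x80 >> bit
    out = bytearray()
    for window in sorted(windows):
        bitmap = windows[window]
        length = max(i for i, b in enumerate(bitmap) if b) + 1
        out += bytes([window, length]) + bitmap[:length]
    return bytes(out)


def decode_type_bitmap(data: bytes) -> set[int]:
    """Inverse of encode_type_bitmap; rejects block lengths outside 1..32 and truncation."""
    types: set[int] = set()
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated type bitmap")
        window, length = data[pos], data[pos + 1]
        block = data[pos + 2 : pos + 2 + length]
        if not 1 <= length <= 32 or len(block) != length:
            raise ValueError("bad type bitmap block")
        for byte_idx, b in enumerate(block):
            for bit in range(8):
                if b & (0x80 >> bit):
                    types.add(window * 256 + byte_idx * 8 + bit)
        pos += 2 + length
    return types


def compact_nsec_rdata(qname: str, exists: bool, present_types=()) -> bytes:
    """Signer side.  RDATA = Next Domain Name || Type Bit Maps; owner name is QNAME.

    exists=False: name does not exist, bitmap is NXNAME + RRSIG + NSEC only.
    exists=True:  NODATA, bitmap lists the types the name really has (an empty
                  non-terminal has none, so only RRSIG and NSEC remain).
    """
    types = {TYPE_RRSIG, TYPE_NSEC}
    if exists:
        types |= set(present_types)
    elif present_types:
        raise ValueError("a non-existent name has no types to list")
    else:
        types.add(TYPE_NXNAME)
    return immediate_successor(name_to_wire(qname)) + encode_type_bitmap(types)


def classify(qname: str, rdata: bytes) -> str:
    """Resolver side (caller has already checked owner name == QNAME).

    "NXNAME": name does not exist (an NXDOMAIN rcode could be restored);
    "ENT": name exists with no data at all; "NODATA": exists with other types.
    Anything that is not the compact shape is rejected rather than guessed at.
    """
    next_name, pos = read_wire_name(rdata)
    if next_name != immediate_successor(name_to_wire(qname)):
        raise ValueError("next name is not the immediate successor of QNAME")
    types = decode_type_bitmap(rdata[pos:])
    if TYPE_NSEC not in types or TYPE_RRSIG not in types:
        raise ValueError("compact NSEC must list NSEC and RRSIG")
    if TYPE_NXNAME in types:
        if types != {TYPE_RRSIG, TYPE_NSEC, TYPE_NXNAME}:
            raise ValueError("NXNAME alongside real types is not a compact denial")
        return "NXNAME"
    return "ENT" if types == {TYPE_RRSIG, TYPE_NSEC} else "NODATA"


if __name__ == "__main__":
    # Constructed sample names; the zone and its contents are assumed.
    for qname, exists, present in [("nx.example.", False, ()),
                                   ("ent.example.", True, ()),
                                   ("www.example.", True, (TYPE_A, TYPE_AAAA))]:
        rdata = compact_nsec_rdata(qname, exists, present)
        print(f"{qname:13s} {rdata.hex()}  -> {classify(qname, rdata)}")
```

The bitmap for the non-existent name is 19 octets (window 0, length 17, with NSEC and RRSIG in octet 5 and NXNAME's bit in octet 16), which is the whole cost of the distinguisher; the NSEC plus its one RRSIG is the entire authority section, which is what makes the answer both small and cheap to sign online.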
